List: bouncycastle-crypto-dev
Subject: Re: [dev-crypto] JDKPKCS12KeyStore and preserving order of chain
From: David Hook <dgh () lockboxlabs ! com>
Date: 2008-10-27 0:34:29
Message-ID: 1225067669.5424.4.camel () echidna

We could probably do something about this - it would only work for a
single key/cert chain though. The truth is there is not a "proper" order
for a certificate chain in a PKCS#12 file, and any software that assumes
it can reconstruct the certificate chain for a private key on the basis
of the order of certificates in a CertBag is totally broken.

I'm assuming they think of proper order as the same as for the Java
version of the certificate chain?

Regards,

David

On Thu, 2008-10-23 at 01:41 -0700, Alexander Korobov wrote:
> Hi,
>
> I'm looking into JDKPKCS12KeyStore source code and it seems it does not
> preserve order of certificates given in KeyStore.setKeyEntry(...) since all
> chain certificates are kept in hash map.
>
> This results in engineStore writing chain certificates in arbitrary order.
> This behavior is different from that of openssl, which actually preserves
> certificate order.
>
> Is there any reason JDKPKCS12KeyStore would not want to preserve order of
> chain certificates?
>
> (The background of the question is that software I'm working on is expecting
> pkcs12 files to contain certificate chain in proper order.)
>
> Thanks,
> Alex
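
Added example, not part of the thread and not Bouncy Castle code: one way a PKCS#12 consumer can rebuild a leaf-first chain from an unordered set of certificates by matching the key and then following issuer names with signature checks, instead of trusting bag order. The class name `ChainOrder` and the command-line arguments (file path, password, alias) are assumptions; `main` shuffles the loaded chain to simulate arbitrary bag order.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class ChainOrder {
    // Rebuild a leaf-first chain from certificates supplied in any order.
    static List<X509Certificate> order(PublicKey leafKey, Collection<X509Certificate> bag) {
        List<X509Certificate> pool = new ArrayList<>(bag);
        X509Certificate cur = null;
        for (X509Certificate c : pool)   // the leaf is the cert carrying the key's public half
            if (Arrays.equals(c.getPublicKey().getEncoded(), leafKey.getEncoded())) { cur = c; break; }
        if (cur == null) throw new IllegalArgumentException("no certificate matches the key");
        List<X509Certificate> chain = new ArrayList<>();
        while (cur != null) {
            chain.add(cur);
            pool.remove(cur);            // each cert is used once, so the loop terminates
            if (cur.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) break; // self-issued root
            X509Certificate next = null;
            for (X509Certificate c : pool) {
                if (!c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) continue;
                try { cur.verify(c.getPublicKey()); next = c; break; }
                catch (GeneralSecurityException e) { /* same name, different key: keep looking */ }
            }
            cur = next;                  // null: issuer is not in the bag, chain ends here
        }
        return chain;
    }

    // Usage (assumed arguments): java ChainOrder <file.p12> <password> <alias>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Certificate[] stored = ks.getCertificateChain(args[2]);
        if (stored == null) throw new IllegalArgumentException("no key entry for alias " + args[2]);
        List<X509Certificate> bag = new ArrayList<>();
        for (Certificate c : stored) bag.add((X509Certificate) c);
        PublicKey leafKey = bag.get(0).getPublicKey();
        Collections.shuffle(bag);        // simulate a CertBag written in arbitrary order
        List<X509Certificate> rebuilt = order(leafKey, bag);
        for (X509Certificate c : rebuilt) System.out.println(c.getSubjectX500Principal());
        System.out.println("matches keystore order: " + rebuilt.equals(Arrays.asList(stored)));
    }
}
```

Ordering by name and signature only establishes which certificate issued which; whether the resulting chain is trusted still requires path validation against a trust anchor.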